Pinning KDC IP addresses.
g.w@hurderos.org
Thu Feb 15 01:28:36 EST 2007
Good evening, hope the week is going well for everyone.
We now have a full implementation of OTI up and running and are
sorting out assorted details before our full release. The identity-
based soft-token technology is proving to be an interesting
alternative technology for multi-factor authentication.
One of the issues which is a bit problematic in working against the
MIT sources is the issue of pinning AS_REQs to a particular IP
address. This strategy appears to be attractive in developing a
robust replay avoidance mechanism not only for OTI but other hardware
pre-authentication mechanisms as well.
In the current MIT codebase packetization of the AS_REQ occurs well
before transmission of the request. As a result it is somewhat
difficult to modify the payload to coincide with the IP address of the
KDC being targeted by the krb5_sendto routine.
The most straightforward strategy would seem to be to push
packetization downward into the krb5_sendto_kdc function. If
packetization were delayed until after IP address selection was
completed the address could be made available to a plugin for final
payload modification before transmission. It would seem
straightforward to accomplish this by passing the krb5_kdc_req structure
pointer all the way down to the krb5_sendto_kdc function.
Is this something which makes sense for the 1.7 development process?
Sam mentioned in his outline that a more efficient replay avoidance
implementation was being considered as part of future development
plans. The ability to more precisely pin requests to a KDC would seem
to be a positive move toward a more robust replay avoidance strategy.
As always,
Greg Wettstein
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
"Artificial Intelligence stands no chance against Natural Stupidity."
-- John Henders
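The ordering problem described in the post, modelled as an added example (this is not code from the post, from the Hurderos project, or from MIT krb5). It assumes a client/KDC shared key for the soft token, a MAC over the encoded request body plus the KDC address as the "pin", and two constructed KDC addresses. The names packetize_early and packetize_late are hypothetical and stand for "serialize the request before address selection" and "serialize it after", which is the change the post asks for; encode() is a deterministic stand-in for the DER encoding of the KDC-REQ-BODY.

```python
import hmac
import hashlib
import json

# Constructed values for the demonstration; none of these come from the post or from MIT krb5.
CLIENT_KEY = b"constructed soft-token secret"   # assumed client/KDC shared key
KDC_CANDIDATES = ["10.0.0.11", "10.0.0.12"]     # assumed KDC addresses for the realm
MAX_SKEW = 300                                  # seconds; a typical clock-skew window


def build_req_body(cname, realm, nonce, now):
    """Model of the KDC-REQ-BODY fields that matter here."""
    return {"cname": cname, "realm": realm, "nonce": nonce, "timestamp": now}


def encode(body):
    """Stand-in for DER encoding of the request body (deterministic bytes)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def pin(encoded_body, kdc_addr, key=CLIENT_KEY):
    """The 'plugin' step: a MAC binding the encoded body to one KDC address."""
    msg = encoded_body + b"\x00" + kdc_addr.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def packetize_late(body, kdc_addr):
    """Packetization after address selection: the pin names the KDC actually targeted."""
    enc = encode(body)
    return {"body": enc, "padata": pin(enc, kdc_addr), "dst": kdc_addr}


def packetize_early(body, assumed_addr, actual_addr):
    """Packetization before address selection (the current ordering as the post
    describes it): the pin is computed with whatever address was assumed when the
    packet was built, but sendto may end up talking to another KDC, e.g. after failover."""
    enc = encode(body)
    return {"body": enc, "padata": pin(enc, assumed_addr), "dst": actual_addr}


def kdc_accepts(packet, my_addr, now, key=CLIENT_KEY, skew=MAX_SKEW):
    """KDC-side check: recompute the pin with the KDC's own address, then check freshness."""
    expected = pin(packet["body"], my_addr, key)
    if not hmac.compare_digest(expected, packet["padata"]):
        return False  # pinned to some other KDC, or forged
    body = json.loads(packet["body"])
    return abs(body["timestamp"] - now) <= skew


def deliver(packet, now):
    """Route the packet to the KDC at packet['dst'] and return that KDC's verdict."""
    return kdc_accepts(packet, packet["dst"], now)


if __name__ == "__main__":
    body = build_req_body("client@EXAMPLE.ORG", "EXAMPLE.ORG", 12345, 1000)
    # late binding survives failover to the second KDC; early binding does not
    print(deliver(packetize_late(body, KDC_CANDIDATES[1]), 1000))
    print(deliver(packetize_early(body, KDC_CANDIDATES[0], KDC_CANDIDATES[1]), 1000))
    # a captured request replayed against the other KDC is rejected by the pin
    captured = packetize_late(body, KDC_CANDIDATES[0])
    print(deliver(dict(captured, dst=KDC_CANDIDATES[1]), 1000))
```

The point of the model is the second case: when the request is serialized before krb5_sendto_kdc picks an address, any address-dependent pre-authentication data can end up naming a KDC other than the one that receives the packet, and a legitimate request fails after failover. Note also what the pin does not do: a captured packet replayed to the same KDC inside the skew window still verifies, so pinning narrows the replay surface to one KDC rather than replacing the replay cache.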